diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch | 92 |
1 files changed, 0 insertions, 92 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch deleted file mode 100644 index f3d2bb1375..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch +++ /dev/null | |||
@@ -1,92 +0,0 @@ | |||
1 | From b9bb4700798bce98888c51d7b6dbc19ec49159d5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Bin Meng <bmeng.cn@gmail.com> | ||
3 | Date: Wed, 3 Mar 2021 20:26:35 +0800 | ||
4 | Subject: [PATCH 2/6] hw/sd: sdhci: Don't transfer any data when command time | ||
5 | out | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | At the end of sdhci_send_command(), it starts a data transfer if the | ||
11 | command register indicates data is associated. But the data transfer | ||
12 | should only be initiated when the command execution has succeeded. | ||
13 | |||
14 | With this fix, the following reproducer: | ||
15 | |||
16 | outl 0xcf8 0x80001810 | ||
17 | outl 0xcfc 0xe1068000 | ||
18 | outl 0xcf8 0x80001804 | ||
19 | outw 0xcfc 0x7 | ||
20 | write 0xe106802c 0x1 0x0f | ||
21 | write 0xe1068004 0xc 0x2801d10101fffffbff28a384 | ||
22 | write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f | ||
23 | write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576 | ||
24 | write 0xe1068003 0x1 0xfe | ||
25 | |||
26 | cannot be reproduced with the following QEMU command line: | ||
27 | |||
28 | $ qemu-system-x86_64 -nographic -M pc-q35-5.0 \ | ||
29 | -device sdhci-pci,sd-spec-version=3 \ | ||
30 | -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ | ||
31 | -device sd-card,drive=mydrive \ | ||
32 | -monitor none -serial none -qtest stdio | ||
33 | |||
34 | Cc: qemu-stable@nongnu.org | ||
35 | Fixes: CVE-2020-17380 | ||
36 | Fixes: CVE-2020-25085 | ||
37 | Fixes: CVE-2021-3409 | ||
38 | Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") | ||
39 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
40 | Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) | ||
41 | Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) | ||
42 | Reported-by: Simon Wörner (Ruhr-Universität Bochum) | ||
43 | Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 | ||
44 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 | ||
45 | Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 | ||
46 | Acked-by: Alistair Francis <alistair.francis@wdc.com> | ||
47 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
48 | Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
49 | Signed-off-by: Bin Meng <bmeng.cn@gmail.com> | ||
50 | Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com> | ||
51 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
52 | |||
53 | Upstream-Status: Backport [b263d8f928001b5cfa2a993ea43b7a5b3a1811e8] | ||
54 | CVE: CVE-2021-3409 | ||
55 | |||
56 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
57 | --- | ||
58 | hw/sd/sdhci.c | 4 +++- | ||
59 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
60 | |||
61 | diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c | ||
62 | index f83c5e295..44f8a82ea 100644 | ||
63 | --- a/hw/sd/sdhci.c | ||
64 | +++ b/hw/sd/sdhci.c | ||
65 | @@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s) | ||
66 | SDRequest request; | ||
67 | uint8_t response[16]; | ||
68 | int rlen; | ||
69 | + bool timeout = false; | ||
70 | |||
71 | s->errintsts = 0; | ||
72 | s->acmd12errsts = 0; | ||
73 | @@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s) | ||
74 | trace_sdhci_response16(s->rspreg[3], s->rspreg[2], | ||
75 | s->rspreg[1], s->rspreg[0]); | ||
76 | } else { | ||
77 | + timeout = true; | ||
78 | trace_sdhci_error("timeout waiting for command response"); | ||
79 | if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) { | ||
80 | s->errintsts |= SDHC_EIS_CMDTIMEOUT; | ||
81 | @@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s) | ||
82 | |||
83 | sdhci_update_irq(s); | ||
84 | |||
85 | - if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { | ||
86 | + if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { | ||
87 | s->data_count = 0; | ||
88 | sdhci_data_transfer(s); | ||
89 | } | ||
90 | -- | ||
91 | 2.29.2 | ||
92 | |||